Lost Files
Lost Files is ransomware that runs on Microsoft Windows. It is grouped with the HiddenTear family even though it contains no HiddenTear code. It is aimed at English-speaking users.

Payload Transmission

Lost Files is distributed through a spam email that pretends to come from Microsoft and carries the subject "Virus Detection On Your Computer!". The email claims that a Trojan horse was detected on the computer and that the recipient should download the linked "security scanner". Clicking the download button fetches a file called WSS.zip, which contains "Windows Security Scanner.exe" and a hidden Resources folder holding a few other executables.

Infection

When Windows Security Scanner.exe is executed, it shows a fake progress bar that pretends to be installing software. A few minutes later it displays what looks like a ransom screen from the Lost Files Ransomware. The screen demands $500 USD in bitcoin, sent to the address 13nRGetwvc7UZF8P5KM9bWqHGK6tMk7wyf, in order to decrypt the user's files. The ransom note reads as follows (reproduced verbatim, including the author's spelling):

Attention!!! First of all we are terribly sorry to have encrypted your data. Because we are human too and we feel some guilt encrypting your data. We offer that we can help you decrypt it again for a small amount of Bitcoins(BTC). The amount that we need from you is 500 USD that you will transfer to our BTC account. To Get your unique tool to decrypt your files, your need to push the button below and your BTC payment address will show, transfer 500 USD in BTC to that address. After you have transfered the BTC you are going to send an email to our email address(Our email will also get displayed when pushed the button). Where you provide your BTC address of the wallet that you used to send our BTC(If you have other comments, you are welcome to say it)remerber to check your spam inbox for when we send your decryption tool.

We will check it, if you have sent the BTC, you will get your decryption tool. Another thing to keep in mind is that, at some point you won't be able to get your data back again and it will be lost forever. Everything from family memories to the hard work of yours, will be washed down the toilet and it will never return. So it's strongly advised that you start paying us for helping you to decrypt it. In the case that you are a little older and don't know much about all the computer stuff then you can ask your children or grandchildren. PLEASE Look below for additional information.

Needing help to get your BTC? Some resources to get started with BTC:
https://coinsutra.com/buy-bitcoin-uk/
https://cryptocurrencytutors.com/getting-started-with-bitcoin/
https://gocryptowise.com/how-to-invest-in-bitcoin-the-beginner-guide/
https://blokt.com/guides/10-best-bitcoin-cryptocurrency-exchanges-2019-proven-safe-exchanges

Keep in mind! When you buy BTC you should buy slightly more than 500 USD, just in case the price drops. Also you need it as sending fees which varies at times. So it's recommended to buy 510 USD worth of BTC from one of the exchanges. Then again we are sorry for what happened to you, hope you will have better luck next time! :)

Lost Files targets only certain file extensions, and only under the C:\Users folder. The targeted extensions are listed in both lower and upper case:

.txt, .doc, .docx, .xls, .index, .pdf, .zip, .rar, .css, .xlsx, .ppt, .pptx, .odt, .jpg, .bmp, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .bk, .bat, .mp3, .mp4, .wav, .wma, .avi, .divx, .mkv, .mpeg, .wmv, .mov, .jpeg, .ogg, .TXT, .DOC, .DOCX, .XLS, .INDEX, .PDF, .ZIP, .RAR, .CSS, .XLSX, .PPT, .PPTX, .ODT, .JPG, .BMP, .PNG, .CSV, .SQL, .MDB, .SLN, .PHP, .ASP, .ASPX, .HTML, .XML, .PSD, .BK, .BAT, .MP3, .MP4, .WAV, .WMA, .AVI, .DIVX, .MKV, .MPEG, .WMV, .MOV, .OGG, .JPEG

Files that have been wiped by Lost Files have the extension .Lost_Files_Encrypt appended to their names.
These files, however, are not encrypted: their first line is blanked and, in the case of binary files, the data is corrupted. According to Michael Gillespie, the binary files are corrupted because the program uses the .NET File.ReadAllLines method to read the contents of each file into a string array. That method is meant for text files, so much of the binary data is mangled as it is decoded.

When "encrypting" a file, Lost Files reads it into an array:

array = File.ReadAllLines(Directory_Path);

It then nulls out the first line:

array[0] = null;

Finally, it writes the array to a new file with the .Lost_Files_Encrypt extension and deletes the original:

File.WriteAllLines(arg_58_0, array);

File.ReadAllLines decodes the file as text, splits it on line terminators and discards them, and File.WriteAllLines re-encodes each element followed by a newline (a null element is written as an empty line). A plain-text file therefore comes out with only its first line missing, but binary files such as images, documents and spreadsheets are corrupted when written back as text. It is not known whether the attacker meant to corrupt data, but the strings stuffed into the program suggest it could be intentional.

Stuffed into the malware executable are some strange messages that suggest the attacker deliberately made this a wiper. First, comments directed at security researchers and the infosec community:

CyberSecurityIsAB**ch
F**k Cyber Security
These pieces of sh** needs to get something better to do!
poverty is what caused the creation cyber security
I'm From Eastern Europe You Will Never Catch Me Because I'm Too Good
I'm Starving I'm Begging The Gods For This Ransomware To Work
I Want To Get Out Of Poverty You Can't Be Happy And Poor It's Not HowItworks

There are also some strange messages about Donald Trump and Kim Kardashian:

Kim Kardashian The *** Dumpster
Donald Trumps Hair Line.
Life Is Das Besta.
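The following Python is an added example, not code from the page or from the malware, that emulates the ReadAllLines / array[0] = null / WriteAllLines loop described above and adds a small triage helper for incident responders. It reproduces the default behaviour of File.ReadAllLines and File.WriteAllLines on Windows (BOM-detected UTF-8 with invalid bytes replaced by U+FFFD, lines split on CR LF, CR or LF with the terminators dropped, output as UTF-8 without BOM with CR LF after every element, and a null element written as an empty line). The sample bytes, the TEXT_EXTS set and the triage() heuristic are my own assumptions.

```python
"""Emulation of the Lost Files damage loop and a triage helper for its output.

Added example, not code from the page or from the malware. It reproduces the
default Windows behaviour of File.ReadAllLines (BOM-detected UTF-8, invalid
bytes replaced by U+FFFD, lines split on CR LF / CR / LF, terminators dropped)
and File.WriteAllLines (each element + CR LF, UTF-8 without BOM, a null element
written as an empty line). Sample bytes, TEXT_EXTS and triage() are assumptions.
"""
import re
from pathlib import Path

DAMAGED_EXT = ".Lost_Files_Encrypt"
NEWLINE = b"\r\n"                       # Environment.NewLine on Windows
LINE_BREAK = re.compile(r"\r\n|\r|\n")  # terminators recognised by ReadLine
REPLACEMENT = "\ufffd".encode("utf-8")  # EF BF BD: what an invalid byte becomes

# Extensions from the target list whose contents are normally plain text
# (assumption used only by the triage heuristic below).
TEXT_EXTS = {".txt", ".css", ".csv", ".sql", ".php", ".asp", ".aspx",
             ".html", ".xml", ".bat", ".sln", ".index"}


def dotnet_read_all_lines(data: bytes) -> list:
    """Approximate File.ReadAllLines(path) on the given file contents.

    A UTF-16/UTF-32 BOM is not handled, and Python's 'replace' decoder may emit
    a different number of U+FFFD than .NET for one multi-byte invalid sequence;
    neither matters for the point being shown.
    """
    if data.startswith(b"\xef\xbb\xbf"):      # StreamReader strips a UTF-8 BOM
        data = data[3:]
    text = data.decode("utf-8", errors="replace")
    if not text:
        return []                            # ReadAllLines on an empty file
    lines = LINE_BREAK.split(text)
    if text[-1] in "\r\n":                   # no phantom line after a final terminator
        lines.pop()
    return lines


def lost_files_damage(original: bytes) -> bytes:
    """Bytes that Lost Files writes to <name>.Lost_Files_Encrypt."""
    lines = dotnet_read_all_lines(original)
    lines[0] = None   # array[0] = null; raises on an empty file, as the .NET code would
    # WriteAllLines: WriteLine(null) emits only the terminator.
    return b"".join((line or "").encode("utf-8") + NEWLINE for line in lines)


def triage(damaged_name: str, damaged: bytes) -> dict:
    """Classify a damaged file: text files keep everything but their first line,
    binary files are mangled. Heuristic: original extension plus presence of the
    UTF-8 replacement character, which appears only when invalid bytes were read."""
    original = damaged_name[:-len(DAMAGED_EXT)] if damaged_name.endswith(DAMAGED_EXT) else damaged_name
    ext = Path(original).suffix.lower()
    mangled = REPLACEMENT in damaged
    if ext in TEXT_EXTS and not mangled:
        verdict = "text"      # bytes after the leading CR LF are the original minus line 1
        remainder = damaged[len(NEWLINE):] if damaged.startswith(NEWLINE) else None
    else:
        verdict = "binary"    # decoded, re-split and re-encoded: not recoverable from this file
        remainder = None
    return {"original": original, "verdict": verdict, "remainder": remainder}


def scan(root):
    """Yield triage results for every .Lost_Files_Encrypt file under root."""
    for path in Path(root).rglob("*" + DAMAGED_EXT):
        yield triage(path.name, path.read_bytes())


# Constructed samples: a small CSV-like text file and the first bytes of a PNG.
TEXT_SAMPLE = b"secret header line\nuser,balance\r\nalice,10\n"
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\xff\x00"

if __name__ == "__main__":
    for name, sample in (("notes.txt", TEXT_SAMPLE), ("photo.png", PNG_SAMPLE)):
        damaged = lost_files_damage(sample)
        print(name, "->", damaged, triage(name + DAMAGED_EXT, damaged)["verdict"])
```

Running the module shows the two outcomes side by side: the text sample comes back as an empty line followed by its remaining lines with CR LF endings, so everything except the first line is still usable, while the PNG sample loses its 0x89 signature byte (turned into EF BF BD) and has its lone CR and LF bytes rewritten as CR LF, so the file is no longer a PNG and cannot be repaired from the damaged copy. Point scan() at a copy of C:\Users from a forensic image to list which .Lost_Files_Encrypt files fall into each class.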
Finally, while not aimed at cyber security, the executable contains a PDB path showing that the source code was kept in a "Junk_Code_Lost_Files" folder:

C:\Users\lenovo\source\repos\Junk_Code_Lost_Files\Lost_Files\Lost_Files\obj\Release\Lost_Files.pdb

Category:Ransomware
Category:Win32 ransomware
Category:Microsoft Windows
Category:Win32
Category:Win32 trojan
Category:Trojan
Category:Wiper
Category:Win32 wiper